Newly discovered malicious software dubbed "MACDefender" takes aim at users of the Mac OS X operating system by automatically downloading a file through JavaScript. But users must also agree to install the software, leaving the potential threat limited.

The new MACDefender malware was first noted on Saturday by users of the Apple Support Communities, and was highlighted on Monday by antivirus company Intego. If the right settings are enabled in Apple's Safari browser, MACDefender can be downloaded to a system after a user clicks a link while searching the Internet.

"When a user clicks a link after performing a search on a search engine such as Google, this takes them to a web site whose page contains JavaScript that automatically downloads a file," Intego said. "In this case, the file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (Open 'safe' files after downloading in Safari, for example), will open."

However, users must still agree to install the malware after it downloads. After the ZIP file is extracted, users are presented with the "MACDefender Setup Installer," at which point they must agree to continue and provide an administrator password.

Because users must both agree to install the software and provide an administrator password, Intego rated the MACDefender threat as "low."

Users on Apple's support forums advise killing active processes from the application using the Mac OS X Activity Monitor. MACDefender can then be deleted from the Applications folder by dragging it into the trash.
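The chain described above needs only one Safari setting and two manual clean-up steps, so it is easy to check for from a terminal. The script below is an added example for this page, not code from Intego, Apple or the forum posters: it reports whether Safari's "Open 'safe' files after downloading" option is on (the `com.apple.Safari` key `AutoOpenSafeDownloads`, which Safari ships enabled), looks for an installed bundle under Applications, and lists any running process with a matching name, mirroring the Activity Monitor and drag-to-Trash advice. The bundle name pattern `MacDefender` is assumed from the article's naming; the decision logic takes its inputs as arguments so it can be exercised on any system, while the live checks only run on Mac OS X.

```shell
#!/bin/sh
# Added example (not from the article, Intego or Apple): triage the MACDefender
# chain. Report-only by default; pass --fix to turn the Safari preference off.
# Assumed: the app bundle and process are named like "MacDefender".

# Map the result of `defaults read com.apple.Safari AutoOpenSafeDownloads` to
# a state. Safari's shipped default is ON, so a missing key ("") counts as enabled.
autoopen_state() {
  case "$1" in
    0|false|FALSE|no|NO) echo disabled ;;
    *) echo enabled ;;
  esac
}

# Print app bundles directly under $1 whose name contains $2 (case-insensitive).
find_bundles() {
  dir=$1; pattern=$2
  [ -d "$dir" ] || return 0
  find "$dir" -maxdepth 1 -iname "*${pattern}*.app" 2>/dev/null | sort
}

# Read `ps -axo pid=,comm=` style lines on stdin; print PIDs whose command
# contains $1 (case-insensitive). These are the processes to kill first.
matching_pids() {
  pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  awk -v pat="$pat" '{ if (index(tolower($0), pat) > 0) print $1 }'
}

main() {
  name=MacDefender
  if [ "$(uname)" != Darwin ]; then
    echo "live checks only run on Mac OS X; helper functions still usable"
    return 0
  fi
  raw=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
  state=$(autoopen_state "$raw")
  echo "Safari 'Open safe files after downloading': $state"
  if [ "$state" = enabled ] && [ "$1" = --fix ]; then
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
    echo "  -> disabled (restart Safari for it to take effect)"
  fi
  for dir in /Applications "$HOME/Applications"; do
    find_bundles "$dir" "$name" | while read -r b; do
      echo "bundle found: $b"
      # Quarantine flag shows whether the "downloaded from the Internet" warning applied.
      xattr -p com.apple.quarantine "$b" >/dev/null 2>&1 && echo "  (quarantined download)"
      echo "  remove with: rm -rf \"$b\"  (after killing its processes)"
    done
  done
  pids=$(ps -axo pid=,comm= | matching_pids "$name")
  [ -n "$pids" ] && echo "running processes to kill: $(echo "$pids" | tr '\n' ' ')"
  return 0
}

main "$@"
```

Run it without arguments to see the report; `--fix` flips the single preference that the commenters below identify as the whole problem, and the bundle and PID output gives you the exact targets for the kill-then-delete clean-up the support forums recommend.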

So let me get this straight:

1 - I must search for something on the Internet that leads me to that link (probably suspicious already);
2 - Javascript, IF activated, will start downloading a file, even though such a process can be stopped in the Safari downloads window;
3 - The suspicious ZIP file MUST be opened;
4 - I must OPEN the suspicious file, which will then lead me to a suspicious installer;
5 - I must AUTHORIZE the computer to install the suspicious file by providing my password;
6 - EVEN after doing all that, I can just kill processes and delete the file so that all is fine again.

And people still wanna call that "virus" or "malware"? Gimme a break! I've got a lot more damage from script kiddies who once sent me a disguised terminal command as a PDF file. This is a non-issue...

While I wouldn't want to discourage folks from taking precautions, I will say that I think security issues on all the major platforms are currently in pretty good shape. The days where Microsoft did things like automatically, and without the user's knowledge, run web servers as administrator on everyone's machine are over.

I run a couple medical/science forums and we get tons of porn/scam/spammer posting every night. At least twice a day I spend 15 minutes deleting dozens of bogus users, links to hacked sites and spam. No one is getting killed but the lawlessness is certainly rampant. Most is coming from Russian Federation, and some from China. The recent DoS and compromise of 10 million credit cards on Sony's server is evidence that there is a huge bot net out there of compromised personal computers, mostly home machines I would imagine.

The harder you shout at us that there is a terrible problem waiting that is identical to the issues on Windows, and that we must load ourselves down with junk or shackle ourselves to the beast, the more we will call bull on you. . .
Users need education about the hazards out there, but anti-virus doesn't provide education, and it does not usually provide protection from new vectors without being updated, so it's practically worthless, regardless of your breathless intonations that it is the only solution.

You're right to bring to my attention that any further attempts to educate users will probably fall on deaf ears.

If I read correctly, you don't have to "install it yourself". You only need to agree for it to continue. In essence it works just like the malware hidden in a few Android Market apps last year. It/they couldn't load itself without the user agreeing to allow it to continue the installation.

Sorry, clicking continue in an obvious installer window requires you to mentally agree to an installation, and if you did not think you were in the process of installing something, that is pretty much guaranteed to ring alarm bells.

I do not understand why those malware writers don't get smart and create installers that look exactly like installers that you expect to pop up out of nowhere, e.g., the Adobe Acrobat/Reader installers, which check at non-transparent intervals and will pop up an installer window at unexpected moments. (Maybe a good time to uncheck that 'Automatically download updates' setting in Acrobat/Reader and rely on other channels for update notifications, e.g., AppFresh or App Update.)

You cannot protect everyone absolutely securely. Traffic and safety laws are a good complementary example of this. If everyone follows the rules you will have significantly fewer traffic issues and accidents. However you cannot, practically speaking, MAKE everyone follow the rules 100% of the time.

Good example, you can make cars safer but you can never prevent that some people will injure or kill themselves with them.

I am sure there are, just a very, very small number. Safety holes that allow for somebody to install something on your computer are fixed all the time which means they have existed until they got fixed. Luckily, very few people knew about and exploited them.

If you dislike Chrome, you should consider the new Firefox over Chrome. It has a streamlined interface (I used to hate it), is more standards compliant, has tabs on top, and more plugins.

Chrome is just a data mining venture for Google. It calls home repeatedly throughout a session. By comparison, Safari calls home maybe once a month to check for updates. Firefox also calls home, but only if you let it.

I make these claims based on Little Snitch telling me.

Quote:

Originally Posted by DanaCameron

Not that I would have installed this malware when prompted, but the timing is curious. I just switched to Chrome last week and haven't been using Safari. Gotta admit, Chrome's pretty sweet so far.

That's dancing around the question, IMHO. The closest you can come to proving something doesn't exist in the computer virus/malware world is to show that people haven't had their machines infected. I've been using Macs for about 23 years and had one infection... about 17 years ago. I don't know of any stories in the past decade or so of people having their Macs infected.

The whole "security by obscuring is ending" is a slogan I've heard for almost 10 years. I suppose it could come true at some point but it sure doesn't seem like it has yet. Why not?

By contrast, I had my work Windows machine get infected last year without ever agreeing to install via password or whatever. It was so bad our Fortune 500 IT department couldn't fully clean it and had to order a new hard disk drive to install and start over.

If you dislike Chrome, you should consider the new Firefox over Chrome. It has a streamlined interface (I used to hate it), is more standards compliant, has tabs on top, and more plugins.

I missed Safari 4.0 beta having tabs on top. Chrome's and Firefox's tabs on top still take up more vertical space than Safari 4.x with tabs underneath with the bookmark bars active, the last time I checked.

For me it's now a moot point as Lion's full-screen apps are turning out to be very useful with the four-finger swipes and Mission Control.

I can't say I use many plug-ins. ClickToFlash, Ultimate Status Bar, a native H.264 video option, and a Javascript blacklist plug-in are all I use.

Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"

Good point. Mac OS can be as easily compromised by smart hackers as any other OSes. Its primary protection is relatively low market share (still). But this will change because of Apple's increasing profile/notoriety. The iOS devices will be targeted too.

Mac users have to be smart enough to consider the same steps of protection as Windows users, including installing anti-malware programs. Some will arrogantly defend Mac OSX as a fortress against viruses. But that is just not true.

It can't easily be compromised at all and anyone who says so doesn't understand what is going on.

If the Mac was so easy to hack then EVERY Linux and BSD box would be so easy as well because the underlying structure, especially with BSD, is relatively the same. If it is attacking Safari then what part is it attacking because it should be affecting WebKit, KHTML, and Chrome and every other WebKit based browser?

This one doesn't, in fact it doesn't actually attack any browser it's just that Safari's default option to run "Safe Downloads" is causing the problem to be noticed. Personally I turn this feature off.

No one has actually said what this malware does so we don't even know if it is as bad as it is being made out to be anyway.

The reason why Macs aren't being affected by malware, in particular viruses, is not low market share, because there is a huge share of UNIX-based operating systems out there on the market; it is because the system is far more secure than Windows. It's trivial to write malware on Windows that can easily propagate without any user interaction, and yet it is extremely difficult for that to be the case on a UNIX-based system because, unlike Windows, UNIX was built from the ground up to be fully secure. Windows wasn't, because it is built on top of DOS, which had NO security at all.

Look at the security contests that Charlie Miller keeps winning. Windows is being hacked ONSITE whereas the Mac actually has to be worked on two months in advance to find a hole. That's a pretty massive difference in terms of security.

Can Mac users really be so complacent? Yes, because the threats are so low. 0 viruses for Macs are in the wild and only some dodgy sites which make up such a small percentage of the internet have malware.

Windows on the other hand can simply be a matter of opening an e-mail... not an attachment but just the e-mail can install a virus.

The biggest threat to any computer system, be it Mac, Windows, *NIX, etc is the person sitting at the desk. PEBKAC - Problem Exists Between Keyboard And Chair. Stop going to the porn sites and the Warez sites and the LOLCats sites and playing dumb quizzes on Facebook and downloading torrents and your machine will be relatively fine. Go to these sites and risk your machine getting infected. It's simple education.

I have more issues with FF. The last couple updates have really slowed down my MacPro. Every time I launch FF, it takes almost 30 seconds of beach ball before it is ready to go.

Hard to determine which exact sites Safari has problems with. It's random.
My guess would be that Safari isn't playing nice with Flash - or FF handles Flash better.
FF also seems to resolve DNS faster - Safari seems to hang for 4-10 seconds before loading or redirecting at times. This was the main reason I switched to FF. Themes being the other.

FF4 does load a little slower.
Don't get the beach ball though. All I'm running for add-ons and plug-ins is a customized theme.
Screams on my MacPro.

I don't see the same stalling on my iPod, so my guess is Flash might be the culprit.

You cannot protect everyone absolutely securely. Traffic and safety laws are a good complementary example of this. If everyone follows the rules you will have significantly fewer traffic issues and accidents. However you cannot, practically speaking, MAKE everyone follow the rules 100% of the time.

Ironically when it comes to rules the opposite is true.

Rules cause more problems than they are worth. This can be seen with Denmark, England, France, and I think it was Austria. In each of these countries one town acted as a test whereby all the road rules were removed, all the road markings were removed, and all the road signs bar streetname signs were removed. The footpaths were merged with the roads so there was no distinction between pedestrians and cars. The result was a massive drop in crashes. In essence by removing road rules the roads became safer.

The reason for this was because instead of having rules they had one principle... "You hit someone you're going down".

Essentially to make things safe you need to hold people accountable for their actions. By having rules you remove accountability and install rights. People demanding their rights to be upheld encroach on other's rights and so everything becomes bedlam.

It's the same with the Internet. You can't blame the people who make the dodgy site if you visit that site knowing it's dodgy and you get attacked. That would be like walking through a dark alley at night in the baddest part of town and getting indignant when you get mugged. Your actions brought trouble to yourself.


Sometimes rules work and sometimes they don't and it is not always the users fault when something goes wrong with the system. Sometimes they accidentally end up in the wrong part of the Internet.

<tangent>
A friend of mine from Oregon moved to Connecticut back in the 80s. Shortly after he moved there his parents and his young niece drove out to the east coast in their motorhome to visit him. He gave them some driving directions. "Once you get across the George Washington Bridge get on I-95 North then exit on Exit #9." Only problem was he forgot to say: "Once you reach Connecticut, exit on Exit #9." Exit #9 in NY is a whole different neighborhood, if you know what I mean. They were lucky to get out of there without mishap.
</tangent>

What you may not understand is this is exactly the same situation on a Windows machine. The malware doesn't load itself. It requires your acceptance.

There are Windows malware programs that block this exact attack. Avast is one of those. I suspect that there are solutions for OS x too. Some browsers are also giving you a security alert, or blocking the malware before you're given the option to load it.

Apparently denying that malware can find its way into Apple devices just as well as Windows is more important than acknowledging that basic security software may be beneficial to many users of Apple devices.

Quote:

Originally Posted by Gatorguy

You're right to bring to my attention that any further attempts to educate users will probably fall on deaf ears.

Thanks. I made what points I could. No more shouting.

I suppose that I failed to use language that you were able to understand... No one reading this board is going to fall for the exploit indicated here. Therefore, your foolish shouts of hysteria and doom are being peddled to the wrong group of people.

I surely admitted that Macs could be victimized, but it would take someone lacking even the most basic skills to load the weapon and pull the trigger on themselves. There is no anti-virus application that will assist this type of user. This has nothing to do with you breathlessly warning all of us here that the sky is falling and we must use your (or your platform's) past failures as a guide to our future experiences on the web.

This is a social exploit that only works if a user has not set their preference in Safari to not run downloaded files automatically. Apple gave us this preference option years ago, and they assume we know how to check and set our preferences. This is all that Apple could do, and if the idiots falling for this exploit would change that single preference the problem would go away in its entirety, with absolutely no need for anti-virus, your pointless pontifications to the contrary.

If a problem comes up that is genuinely new and genuinely a problem, then of course I want education about solving the problem, and if Apple is able to, I want them to provide a fix for the problem. The thing with this one is the attack vector is an old one that Apple has actually resolved, if you are interested in knowledge and not simply peddling FUD.

I pray that I have given you the boon of better knowledge and understanding of my previous post's intent. If not, oh, well....


I just deleted Chrome after its annoying habit of seeming to show an image of a page with unclickable links (until the page actually finishes loading) and continuous crashes on javascript and Flash heavy pages.

I gave it a good few months but finally had enough.

Good riddance to bad rubbish.

Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.

Reading the posts above, a couple of things that Apple could do to protect the average user are to:

(1) Have the initial setup routine create a separate admin user by default.

(2) Have the initial setup routine explain to users what this means.

A computer is the world's best automated teaching tool and Apple won't use it to educate people about what they need to know to use their computer. They have created the idea that a Mac just works, but have forgotten to make it just work.

Many of the most important software concepts were invented in the 70s and forgotten in the 80s.

One minor flaw in step 2. No one cares. It's disgusting and sad, but it's the truth.

I think the approach should be that your Mac is safe to use and, if you want to fiddle, then there's a clear place to go to learn about it.

Computers are used to make learning about all sorts of subjects fun, except for how to use your computer. It's weird, though it does comply with my general view that computer people are the worst users ( and designers ) of computers.


Secure should be the default, then convenience and speed can come as a user educates themselves, not the other way around.

If this is selected, Safari automatically opens the types of files listed, but it won’t open software programs.

So the user has to be clueless at least three times:

Pay attention to the bogus instructions on the site
Double click the application installer in the downloads directory once it unarchives
Disregard Apple warning that application came from the Internet
Enter the admin password
Then the icing on the cake is to give them your credit card number
Of course ignoring the fact that it is not an SSL site.

Let's face it, Safari is a bit balls. Even the most avid fan has to admit it's way down the list of browsers for anyone that uses a wide variety of sites. It still won't let me list items on eBay without signing in three times and randomly losing my listing. Not to mention it only allowed the font and colour changes about 4 months ago.

Apparently denying that malware can find its way into Apple devices just as well as Windows is more important than acknowledging that basic security software may be beneficial to many users of Apple devices.

And maybe what you don't understand... is that all new viruses, malware, or "whatever" types of attacks are caught in hindsight by all those so-called protective antivirus/malware programs, whether on the Mac or on Windows. You are not protected with them until the malware is recognized and you have downloaded new virus definitions for it. Unless you're lucky or very net savvy, it's too late. So what good are they for?

As a Mac user, I don't want to put software on my Mac that will surely slow it down and possibly create conflicts with its normal programs when the antivirus won't even protect me until after the damage is done. Windows users aren't protected either, but they're so paranoid, thanks to Microsoft's past security failures, they believe these antivirus programs are needed to protect them from a new attack. NOT!


And maybe what you don't understand... is that all new viruses, malware, or "whatever" types of attacks are caught in hindsight by all those so-called protective antivirus/malware programs, whether on the Mac or on Windows. You are not protected with them until the malware is recognized and you have downloaded new virus definitions for it. Unless you're lucky or very net savvy, it's too late. So what good are they for?

As a Mac user, I don't want to put software on my Mac that will surely slow it down and possibly create conflicts with its normal programs when the antivirus won't even protect me until after the damage is done. Windows users aren't protected either, but they're so paranoid, thanks to Microsoft's past security failures, they believe these antivirus programs are needed to protect them from a new attack. NOT!

I don't think you've kept up with features in some of the newer antivirus packages and how they're used to detect and block previously unknown malware, trojans and viruses.

Well, I suppose that you only searched and did not actually read the link you provided, but out of 15 packages tested, only six were better than 50% effective at unknown threats, only two were better than 60% and only one was better than 70% (71%). This means that the very best package allows you to be tagged more than 25% of the time and most of the packages are less than 50% effective. I hope I get the viruses that are in the 50% covered range, lol. I really hope those 50% not detected viruses get someone else... (face/palm).

How you can highlight this finding as a credible reason to acquire and use AV software is beyond me. An empirical 29% or greater fail rate for something that you think is essential/mandatory is a fail for me. The fact that the website you link to only lists one failure out of the 15 packages (a 12% score) doesn't stack up against the college scoring system I think most people are familiar with (you know, A - 91-100, B - 81-90, C - 71-80, D - 61-70, F - <60). On that effectiveness scoring system, all but two packages failed and no package made better than a C-. Scoring using a bell curve, with a mean and standard deviations would result in a less harsh overall grade rate, but if we are concerned with finding and defeating actual unknown threats this is no time to go easy on someone is it? I suppose 71% is better than nothing, but if I am this exposed with the best protection money can buy, I reckon I am doomed.

Let's face it, Safari is a bit balls. Even the most avid fan has to admit it's way down the list of browsers for anyone that uses a wide variety of sites. It still won't let me list items on eBay without signing in three times and randomly losing my listing. Not to mention it only allowed the font and colour changes about 4 months ago.

That's not Safari's issue. That's Ebay. The client-server handshaking is controlled on the server-side. Sniff the javascript for Ebay some time.

Well, I suppose that you only searched and did not actually read the link you provided, but out of 15 packages tested, only six were better than 50% effective at unknown threats, only two were better than 60% and only one was better than 70% (71%). This means that the very best package allows you to be tagged more than 25% of the time and most of the packages are less than 50% effective. I hope I get the viruses that are in the 50% covered range, lol. I really hope those 50% not detected viruses get someone else... (face/palm).

How you can highlight this finding as a credible reason to acquire and use AV software is beyond me. An empirical 29% or greater fail rate for something that you think is essential/mandatory is a fail for me. The fact that the website you link to only lists one failure out of the 15 packages (a 12% score) doesn't stack up against the college scoring system I think most people are familiar with (you know, A - 91-100, B - 81-90, C - 71-80, D - 61-70, F - <60). On that effectiveness scoring system, all but two packages failed and no package made better than a C-. Scoring using a bell curve, with a mean and standard deviations would result in a less harsh overall grade rate, but if we are concerned with finding and defeating actual unknown threats this is no time to go easy on someone is it? I suppose 71% is better than nothing, but if I am this exposed with the best protection money can buy, I reckon I am doomed.

Thanks for the information.

Yes, I actually read the entire page and actually use one of the packages.

For my 2¢ I stopped using Safari a couple months ago after the last threat. Now I only use Chrome and Firefox, plus Safari runs slow at times for me even on a new Mac while Chrome and FF are faster, and I like how if a site crashes it only crashes that tab, not the whole browser. Sorry Apple, but Safari has a ways to go to me.